Abstract—Networked Automation Systems (NAS) have to meet stringent response time requirements during operation. Verifying the response time of the automation is an important step during the design phase, before deployment. Timing discrepancies due to the hardware, software and communication components of NAS affect the response time. This investigation uses model templates for verifying the response time in NAS. First, jitter bounds model the timing fluctuations of NAS components. These jitter bounds are the inputs to model templates, which are formal models of the timing fluctuations. The model templates are atomic action patterns composed with three composition operators (sequential, alternative, and parallel) and embedded in a time wrapper that specifies clock-driven activation conditions. Model templates in conjunction with a formal model of the technical process offer an easier way to verify the response time. The investigation demonstrates the proposed verification method using an industrial steam boiler with typical NAS components on the plant floor.

I. Introduction 

Networked automation systems (NAS) in industrial automation refer to systems with networked sensors, actuators and controllers [1]. Response time is defined as the time between the cause of an event (a new sensor measurement) and its effect on the technical process. Industrial automation systems are real-time systems requiring fast response times (typically in milliseconds). The response time in NAS needs to be verified during the design phase to avoid re-design after deployment. The importance of response time in NAS is demonstrated by the numerous approaches proposed in the literature (see [2]-[4] and references therein). Computing the bound of the timing fluctuations remains the focus of these approaches. Numerous applications of NAS have been reported in the literature (see [20]-[22] and references therein).

Timed model-checking is a promising technique for analysing critical systems, because it performs exhaustive checking using formal models. Recent research uses tools from model-checking to verify the response time in NAS. To the best of our knowledge, Frey et al. [5] were the first to use model-checking tools in NAS, studying component failures using probabilistic model checking (PMC) without proposing a formal model. Later, the authors studied the simulation of response time using Dymola/Modelica NAS component models in [6]. This method suffers from the limitations of simulation, i.e. it tests specific scenarios, as opposed to the exhaustive verification offered by model checking. The model-checking methods proposed in [7] and [8] lack the support of a modelling framework and are therefore restricted to specific architectures or scenarios. Vogel-Heuser et al. [9] presented a component-oriented modelling approach that captures the timing requirements and specifications to verify the response time in NAS.

A reading of the literature reveals that modelling the timing fluctuations due to the communication, physical and software components of NAS, and their variation over time, poses a stiff challenge to verifying the timing performance using timed model checking. To overcome these challenges, this investigation uses NAS component models that capture the timing fluctuations as jitter. Composition of these components using the time-chain model in [9], with an additional specification of the jitter bounds and of the nature of their variation (termed behaviour), leads to the jitter time-chain. The jitter time-chain is used to create model templates of NAS components for verifying response times. The model templates are atomic action patterns with three composition operators to model the jitter. The model templates of the jitter, in conjunction with the formal model of the process, define the formal model required for verifying the response time. The use of model templates simplifies the procedure for generating the formal model used for verifying the response time of NAS.

The main contributions of this investigation are: a jitter-based model for verifying the timing performance of NAS, model patterns that use jitter bounds to model the timing imperfections, and an illustration of the verification procedure using a steam boiler on an industrial plant floor. The paper has five sections including the introduction. Section II presents the jitter-based timing model of NAS, and the discussion of model patterns is in Section III. The example in Section IV illustrates the use of model templates, and Section V presents the conclusion of the investigation.

II. Modelling Timing Imperfections in NAS 

The timing imperfections in NAS are due to hardware, software, and communication components and can be broadly classified into three categories: (i) hardware, (ii) software, and (iii) network-induced [10], [20]. A model of the timing discrepancies is required to verify the response time using formal models. Based on the timing imperfections, the delay time-chain can be drawn as shown in Fig. 2.

Hardware timing imperfections are due to sensors, actuators, signal processing, and controller hardware. The sources of hardware jitter due to the NAS components are shown in Fig. 1. This investigation proposes to model the hardware jitter as constant, as these timing imperfections are usually found to vary only over long time-frames. Software jitter is mainly due to scheduling, cache memory, pre-emption, interrupts, context switching, dynamic control algorithms, multiple loops and asynchronous communication between tasks. As software timing imperfections are usually measured using execution times (such as best-case execution time, worst-case execution time, average execution time, etc.), they naturally suggest the use of a deterministic model.

Fig. 1. Hardware timing jitter

Communication-related timing imperfections include latencies and data loss. Latencies in communication channels depend on many parameters such as the length of the communication channel, channel load, protocol employed, network interface card employed in the automation, and contention ratio. As these parameters are inherently random, they make communication latencies time-varying, and many models have been proposed for modelling time-varying delays (see [10]-[19]). The timing imperfections are modelled using jitter bounds on the individual components. Communication jitter is modelled as time-varying but bounded:

$$J_c \in [J_c^{min}, J_c^{max}] \qquad (1)$$

where $J_c$ is the total communication jitter and $J_c^{min}$ and $J_c^{max}$ are the minimum and maximum communication jitter, respectively. Therefore, the total jitter in NAS is

$$J_t = J_h + J_s + J_c \qquad (2)$$

where $J_t$ is the total jitter in the NAS and $J_h$, $J_s$ and $J_c$ are the hardware, software, and communication jitter, respectively.

Fig. 2. Time-Chain for timing performance specification


III. Model Patterns for Response Time Verification

Having obtained the model of the NAS by composing components, the time-chain can be generated as a formal model using model patterns that take the jitter bounds as inputs. To construct the time-chain, this investigation assumes two types of timing performance components:

• components that are activated by some external event, modelled using the model patterns in Fig. 3;

• components that are activated periodically, each with a possibly different period and jitter.

To model timing fluctuations, this investigation proposes a structural modelling approach in which models are constructed from an atomic action pattern (Fig. 3(a)) by means of three composition operators: sequential (Fig. 3(b)), alternative (Fig. 3(c)), and parallel composition (Fig. 3(d)). For parallel composition an additional channel matching constraint is required: whenever there is a synchronization condition in one of the parallel components, there must also be a matching synchronization condition in the other parallel component. We call the models constructed in this way well-formed models. The atomic action model pattern captures the lower and upper bound of the delay as [lbound, ubound], as shown in Fig. 3(a). This model pattern for delay is particularly useful in scenarios requiring an action triggered by an external event (induced by another component). The communication jitter on a component can be modelled using this interval characterization of the jitter.

Fig. 3. Delay model patterns

Sequential and alternative compositions are defined as applications of the location merging operator $\oplus$ on two well-formed timed automata. The sequential composition is given by

$$Post_1 \oplus Pre_2 \qquad (3)$$

where $Post_1$ and $Pre_2$ indicate respectively the Post-location of the first and the Pre-location of the second component automaton (see Fig. 3(b)). This can be used in scenarios wherein a timing imperfection due to one component results in a timing imperfection in another component.

The other composition model pattern is the alternative composition shown in Fig. 3(c), and the result of the model pattern is given by

$$Pre_1 + Pre_2 \;\vee\; Post_1 + Post_2 \;\vee\; (Pre_1 + Pre_2,\, Post_1,\, Post_2) \qquad (4)$$

In the parallel composition ($\parallel$) shown in Fig. 3(d), in and out indicate the channel name suffixes, and ! and ? indicate the synchronization direction. The model patterns of Fig. 3 give the formal models for capturing jitter in NAS, along with the physical components that are triggered by an external event (synchronization condition "in?" in Fig. 3(a)).

A. Timing Wrapper

For modelling periodically (clock-)triggered actions, the timing wrapper construct is introduced in addition to the main model patterns described in Subsection A. (Due to limited space, other clock-triggered activation patterns implementable in the timing wrapper are not considered in this paper.) The timing wrapper introduces an auxiliary clock Cl that is needed for modelling the activation period with jitter within the interval $[Jit_{lb}, Jit_{ub}]$, as shown in Fig. 4.

Fig. 4. Timing Wrapper

The model patterns described in this section, along with the timing wrapper, can be used to capture the timing imperfections as jitter in the formal model of the NAS together with that of the technical process. Thus the timing model of the time-chain (see Fig. 2) for the timing performance specification can be constructed from patterns 1-4, depending on the way each component in the time-chain is activated.

The next step of the work-flow consists of simulation of both the process and the timing components to identify the critical operating points of the technical process and the test conditions for the NAS timing components. Simulation of the technical process can be used to identify the critical points that need to be tested. The following example illustrates the use of simulation to study the timing performance.


IV. Results 

This section presents an example of using the work-flow 
for timed-model checking. The example considered is a 
steam boiler. 

A. Description of the Technical Process 

The steam boiler consists of two pumps $P_1$ and $P_2$ and a heater, as shown in Fig. 5. Here, $w$, $u_1(t)$, $u_2(t)$ and $d$ denote the water level of the boiler ($w > 0$), the inflow of pump 1 in l/min, the inflow of pump 2 in l/min, and the power of the boiler. The vaporization ratio is denoted by $r$.



Fig. 5. Steam Boiler 

Assumptions:

At each point of time $t$, pump $P_i$ is either working ($u_i(t) = P_i$) or stopped ($u_i(t) = 0$). There is a delay $T_i$ between the $i$-th switching on and the moment the pump actually starts pumping. There is no such delay when the pump is switched off.

The working of the steam boiler can be described using the hybrid automaton in Fig. 6.

Fig. 6. Hybrid model of the boiler 


The model templates using action model patterns and composition operators can be used to construct the formal model of the timing fluctuations, and the time wrapper can be used in the case of periodic operations. This formal model can be composed with the formal model of the components of the steam boiler, and the result can be used for verifying the response times of the NAS. These formal models are modelled in UPPAAL as timed automata [23], as shown in Fig. 7. The reaction time verification on the given model is implemented by a model checking query that uses the standard TCTL operator "time-bounded leads to", i.e. $Stimulus \rightsquigarrow_{\leq d} Response$, where $Stimulus$ and $Response$ are first-order state formulae that specify the begin and end events of the reaction time bound $d$ to be verified.
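The following Python example is added here and is not the paper's code: it applies interval arithmetic to the atomic action patterns and composition operators of Section III, builds the boiler's water-level time-chain with constructed (not measured) jitter bounds in milliseconds, and checks the bound $d$ the way the time-bounded leads-to query above does. The semantics of parallel composition (the slower branch dominates) is an assumption, since the paper presents it only graphically; all component names and bound values are constructed.

```python
# Added example (not the paper's code): interval arithmetic over the atomic
# action patterns of Section III, applied to the boiler's water-level loop.
# sequential adds bounds; alternative takes the envelope of its branches;
# parallel waits for the slower branch (assumed semantics, the paper gives
# parallel composition only as a figure). meets_deadline mirrors the query
# Stimulus ~>_{<= d} Response: guaranteed iff the worst-case bound is <= d.
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    """Atomic action pattern: a delay within [lbound, ubound] time units."""
    name: str
    lbound: float
    ubound: float

    def __post_init__(self) -> None:
        if self.lbound < 0 or self.ubound < self.lbound:
            raise ValueError(f"invalid jitter bound for {self.name}")

def sequential(*acts: Action) -> Action:
    """Post-location of each action merged with the next Pre-location: delays add."""
    return Action(" ; ".join(a.name for a in acts),
                  sum(a.lbound for a in acts), sum(a.ubound for a in acts))

def alternative(*acts: Action) -> Action:
    """Exactly one branch is taken, so the bound is the envelope of the branches."""
    return Action(" | ".join(a.name for a in acts),
                  min(a.lbound for a in acts), max(a.ubound for a in acts))

def parallel(*acts: Action) -> Action:
    """Branches run concurrently and resynchronise; the slower one dominates."""
    return Action(" || ".join(a.name for a in acts),
                  max(a.lbound for a in acts), max(a.ubound for a in acts))

def steam_boiler_chain() -> Action:
    """Boiler water-level loop with constructed jitter bounds in ms (not measured)."""
    sensor = Action("level sensor", 2.0, 2.0)           # hardware jitter: constant
    bus_up = Action("fieldbus sensor->ctrl", 1.0, 6.0)  # communication jitter: [Jc_min, Jc_max]
    ctrl = Action("controller task", 1.0, 3.0)          # software jitter: BCET..WCET
    bus_dn = Action("fieldbus ctrl->pump", 1.0, 6.0)
    pump = alternative(Action("pump off", 0.0, 0.0),    # no delay when switched off
                       Action("pump on", 20.0, 25.0))   # start-up delay T_i before pumping
    return sequential(sensor, bus_up, ctrl, bus_dn, pump)

def meets_deadline(chain: Action, d: float) -> bool:
    """True iff every path through the chain responds within the bound d."""
    return chain.ubound <= d
```

With these constructed bounds the chain responds within [5, 42] ms, so a 50 ms bound holds and a 40 ms bound is violated on the worst-case path (pump switched on after the slowest fieldbus transfers).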



Fig. 7. UPPAAL formal model of the steam boiler with model templates 


V. Conclusion 

This paper presented a simulation-driven verification work-flow for verifying the response time in NAS. The approach modelled the timing discrepancies in the NAS components using jitter bounds, classified by their occurrence as constant, deterministic and time-varying. The obtained jitter bounds were used to generate model templates covering the various scenarios that arise in NAS. Simulation is then performed on the technical process, together with the knowledge of the jitter, to obtain results useful for model abstraction and verification. The inputs from the modelling, template generation, and simulation steps are used to verify the response time of the NAS. The work-flow was illustrated using a plant-floor example of a steam boiler and a pH neutralization process. Extending the work-flow to verify other timing properties, and extending it to verify multi-core automation systems, are the future course of this investigation.